chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security] by NumaryBot · Pull Request #58 · formancehq/terraform-provider-stack

NumaryBot · 2026-02-26T02:59:28Z

This PR contains the following updates:

Package	Type	Update	Change
github.com/cloudflare/circl	indirect	patch	`v1.6.1` -> `v1.6.3`

CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

CVE-2026-1229 / GHSA-q9hv-hpm4-hj6x / GO-2026-4550

More information

Details

CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

CIRCL has an incorrect calculation in secp384r1 CombinedMult

CVE-2026-1229 / GHSA-q9hv-hpm4-hj6x / GO-2026-4550

More information

Details

The CombinedMult function in the CIRCL ecc/p384 package (secp384r1 curve) produces an incorrect value for specific inputs. The issue is fixed by using complete addition formulas.
ECDH and ECDSA signing relying on this curve are not affected.

The bug was fixed in v1.6.3.

Severity

CVSS Score: Unknown
Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P/S:N/AU:Y/U:Amber

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

cloudflare/circl (github.com/cloudflare/circl)

`v1.6.3`: CIRCL v1.6.3

Compare Source

CIRCL v1.6.3

Fix a bug on ecc/p384 scalar multiplication.

What's Changed

sign/mldsa: Check opts for nil value by @armfazh in https://github.com/cloudflare/circl/pull/582
ecc/p384: Point addition must handle point doubling case. by @armfazh in https://github.com/cloudflare/circl/pull/583
Release CIRCL v1.6.3 by @armfazh in https://github.com/cloudflare/circl/pull/584

Full Changelog: cloudflare/circl@v1.6.2...v1.6.3

`v1.6.2`: CIRCL v1.6.2

Compare Source

CIRCL v1.6.2

New SLH-DSA, improvements in ML-DSA for arm64.
Tested compilation on WASM.

What's Changed

Optimize pairing product computation by moving exponentiations to G1. by @dfaranha in https://github.com/cloudflare/circl/pull/547
sign: Adding SLH-DSA signature by @armfazh in https://github.com/cloudflare/circl/pull/512
Update code generators to CIRCL v1.6.1. by @armfazh in https://github.com/cloudflare/circl/pull/548
ML-DSA: Add preliminary Wycheproof test vectors by @bwesterb in https://github.com/cloudflare/circl/pull/552
go fmt by @bwesterb in https://github.com/cloudflare/circl/pull/554
gz-compressing test vectors, use of HexBytes and ReadGzip functions. by @armfazh in https://github.com/cloudflare/circl/pull/555
group: Removes use of elliptic Marshal and Unmarshal functions. by @armfazh in https://github.com/cloudflare/circl/pull/556
Support encoding/decoding ML-DSA private keys (as long as they contain seeds) by @bwesterb in https://github.com/cloudflare/circl/pull/559
Update to golangci-lint v2 by @bwesterb in https://github.com/cloudflare/circl/pull/560
Preparation for ARM64 Implementation of poly operations for dilithium package. by @elementrics in https://github.com/cloudflare/circl/pull/562
prepare power2Round for custom implementations in assembly by @elementrics in https://github.com/cloudflare/circl/pull/564
ARM64 implementation for poly.PackLe16 by @elementrics in https://github.com/cloudflare/circl/pull/563
add arm64 version of polyMulBy2toD by @elementrics in https://github.com/cloudflare/circl/pull/565
add arm64 version of polySub by @elementrics in https://github.com/cloudflare/circl/pull/566
group: add byteLen method for short groups and RandomScalar uses rand.Int by @armfazh in https://github.com/cloudflare/circl/pull/568
add arm64 version of poly.Add/Sub by @elementrics in https://github.com/cloudflare/circl/pull/572
group: Adding cryptobyte marshaling to scalars by @armfazh in https://github.com/cloudflare/circl/pull/569
Bumping up to Go1.25 by @armfazh in https://github.com/cloudflare/circl/pull/574
ci: Including WASM compilation. by @armfazh in https://github.com/cloudflare/circl/pull/577
Revert to using package-declared HPKE errors for shortkem instead of standard library errors by @harshiniwho in https://github.com/cloudflare/circl/pull/578
Release v1.6.2 by @armfazh in https://github.com/cloudflare/circl/pull/579

New Contributors

@dfaranha made their first contribution in https://github.com/cloudflare/circl/pull/547
@elementrics made their first contribution in https://github.com/cloudflare/circl/pull/562
@harshiniwho made their first contribution in https://github.com/cloudflare/circl/pull/578

Full Changelog: cloudflare/circl@v1.6.1...v1.6.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

…urity]

coderabbitai · 2026-02-26T02:59:39Z

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

go.mod is excluded by !**/*.mod
go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch renovate/go-github.com-cloudflare-circl-vulnerability

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

flemzord · 2026-03-19T16:21:56Z

Closed automatically: bulk NumaryBot security cleanup

chore(deps): update module github.com/cloudflare/circl to v1.6.3 [sec…

7bb350e

…urity]

NumaryBot added the security label Feb 26, 2026

NumaryBot requested a review from a team as a code owner February 26, 2026 02:59

flemzord approved these changes Mar 19, 2026

View reviewed changes

flemzord enabled auto-merge March 19, 2026 16:08

flemzord closed this Mar 19, 2026

auto-merge was automatically disabled March 19, 2026 16:21
Pull request was closed

NumaryBot deleted the renovate/go-github.com-cloudflare-circl-vulnerability branch March 19, 2026 17:41

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security]#58

chore(deps): update module github.com/cloudflare/circl to v1.6.3 [security]#58
NumaryBot wants to merge 1 commit intomainfrom
renovate/go-github.com-cloudflare-circl-vulnerability

NumaryBot commented Feb 26, 2026 •

edited

Loading

Uh oh!

coderabbitai bot commented Feb 26, 2026

Review skipped

Uh oh!

flemzord commented Mar 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

NumaryBot commented Feb 26, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

CIRCL has an incorrect calculation in secp384r1 CombinedMult in github.com/cloudflare/circl

Details

Severity

References

CIRCL has an incorrect calculation in secp384r1 CombinedMult

Details

Severity

References

Release Notes

v1.6.3: CIRCL v1.6.3

CIRCL v1.6.3

What's Changed

v1.6.2: CIRCL v1.6.2

CIRCL v1.6.2

What's Changed

New Contributors

Configuration

Uh oh!

coderabbitai bot commented Feb 26, 2026

Review skipped

Uh oh!

flemzord commented Mar 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

NumaryBot commented Feb 26, 2026 •

edited

Loading

`v1.6.3`: CIRCL v1.6.3

`v1.6.2`: CIRCL v1.6.2